fall 2006 security issues in wireless sensor networks professor choong seon hong kyung hee...
Post on 19-Dec-2015
214 views
TRANSCRIPT
Fall 2006
Security Issues in Wireless Sensor Security Issues in Wireless Sensor NetworksNetworks
Professor Choong Seon Hong
Kyung Hee UniversityKyung Hee University
cshongkhuackrcshongkhuackr
2Fall 2006
OutlineOutline
Security Principles Security Terms General Classification of Attacks Wireless Attacks WSN Security Key Management Secure Routing Threats attacks amp Defenses Conclusions References
3Fall 2006
Security PrinciplesSecurity Principles
We define security in the context of two groups ldquoThe good guysrdquo and ldquoThe bad guysrdquo
It doesnrsquot matter if we are talking about people robots or computers
In our definition if there are no ldquobad guysrdquo you are secure by default
Imagine a perfect world with no crime ndash there would be no need for a police force Security tries to create such a perfect world not globally but in a controlled space
It tries to create a bubble within which there are no bad guys at a given time So it is as though the bad guys donrsquot exist
4Fall 2006
High-level look at High-level look at six principlessix principles of security of security thinking (Philosophy of mistrust) thinking (Philosophy of mistrust)
Donrsquot talk to any one you donrsquot know Accept nothing without a guarantee Take everyone as an enemy until proved
otherwise Donrsquot trust your friend for long Use well-tried solutions Watch the ground you are standing on for
cracks
5Fall 2006
1 Donrsquot talk to any one you donrsquot know1 Donrsquot talk to any one you donrsquot know
In the context of security this means you must be 100 certain about the identity of a device or person before you communicate
It is the job of security designers to bring you as close to 100 as you need
6Fall 2006
2 Accept nothing without a guarantee2 Accept nothing without a guarantee
Guarantee means a guarantee of authenticity In other words it is the ldquoproofrdquo that the message
has not been changed (modified delayed or replaced)
7Fall 2006
3 Treat everyone as an enemy until proved 3 Treat everyone as an enemy until proved otherwiseotherwise
Emphasis on the importance of not giving information to anyone until that persondevice has proved identity
8Fall 2006
4 Donrsquot trust your friend for long4 Donrsquot trust your friend for long
ldquoMake new friends but keep the oldrdquo The word ldquokeeprdquo implies an active process a process of affirmation
So the keys passwords or certificates need to have a limited life You should keep reaffirming the relationship by renewing the tokens
9Fall 2006
5 Use well-tried solutions5 Use well-tried solutions
Part of security psychology involves developing a high level of mistrust for anything new to see how this affects peoplersquos devicersquos attitude
For example letrsquos take Encryption as an example The objective of encryption is to make the encrypted data look like perfectly random noise Good algorithm will make it totally random So no amount of analysis on the output stream would reveal any pattern
10Fall 2006
6 Watch the ground you are standing 6 Watch the ground you are standing on for crackson for cracks
The challenge for hackers of course is to look for the little cracks and crevices that result from hidden assumptions
For example a recent virus called ldquoCode Redrdquo (actually a worm) worked by exploiting the fact that when internal memory overflowed in a computer information was accidentally left in memory in a place that was accessible from outside
The system designers made the false assumption that buffers do not overflow and that if they do the excess buffers are properly thrown away
Almost certainly this was a subconscious assumption it was false and an attacker found it
11Fall 2006
High-level Attacker ProcessHigh-level Attacker Process
Target Identification
How you meet the goal
Capture necessary information
Analyze collected data
Pick the time to join the network
Reconnaissance
Collection
Analysis
Execution
Planning
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
2Fall 2006
OutlineOutline
Security Principles Security Terms General Classification of Attacks Wireless Attacks WSN Security Key Management Secure Routing Threats attacks amp Defenses Conclusions References
3Fall 2006
Security PrinciplesSecurity Principles
We define security in the context of two groups ldquoThe good guysrdquo and ldquoThe bad guysrdquo
It doesnrsquot matter if we are talking about people robots or computers
In our definition if there are no ldquobad guysrdquo you are secure by default
Imagine a perfect world with no crime ndash there would be no need for a police force Security tries to create such a perfect world not globally but in a controlled space
It tries to create a bubble within which there are no bad guys at a given time So it is as though the bad guys donrsquot exist
4Fall 2006
High-level look at High-level look at six principlessix principles of security of security thinking (Philosophy of mistrust) thinking (Philosophy of mistrust)
Donrsquot talk to any one you donrsquot know Accept nothing without a guarantee Take everyone as an enemy until proved
otherwise Donrsquot trust your friend for long Use well-tried solutions Watch the ground you are standing on for
cracks
5Fall 2006
1 Donrsquot talk to any one you donrsquot know1 Donrsquot talk to any one you donrsquot know
In the context of security this means you must be 100 certain about the identity of a device or person before you communicate
It is the job of security designers to bring you as close to 100 as you need
6Fall 2006
2 Accept nothing without a guarantee2 Accept nothing without a guarantee
Guarantee means a guarantee of authenticity In other words it is the ldquoproofrdquo that the message
has not been changed (modified delayed or replaced)
7Fall 2006
3 Treat everyone as an enemy until proved 3 Treat everyone as an enemy until proved otherwiseotherwise
Emphasis on the importance of not giving information to anyone until that persondevice has proved identity
8Fall 2006
4 Donrsquot trust your friend for long4 Donrsquot trust your friend for long
ldquoMake new friends but keep the oldrdquo The word ldquokeeprdquo implies an active process a process of affirmation
So the keys passwords or certificates need to have a limited life You should keep reaffirming the relationship by renewing the tokens
9Fall 2006
5 Use well-tried solutions5 Use well-tried solutions
Part of security psychology involves developing a high level of mistrust for anything new to see how this affects peoplersquos devicersquos attitude
For example letrsquos take Encryption as an example The objective of encryption is to make the encrypted data look like perfectly random noise Good algorithm will make it totally random So no amount of analysis on the output stream would reveal any pattern
10Fall 2006
6 Watch the ground you are standing 6 Watch the ground you are standing on for crackson for cracks
The challenge for hackers of course is to look for the little cracks and crevices that result from hidden assumptions
For example a recent virus called ldquoCode Redrdquo (actually a worm) worked by exploiting the fact that when internal memory overflowed in a computer information was accidentally left in memory in a place that was accessible from outside
The system designers made the false assumption that buffers do not overflow and that if they do the excess buffers are properly thrown away
Almost certainly this was a subconscious assumption it was false and an attacker found it
11Fall 2006
High-level Attacker ProcessHigh-level Attacker Process
Target Identification
How you meet the goal
Capture necessary information
Analyze collected data
Pick the time to join the network
Reconnaissance
Collection
Analysis
Execution
Planning
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
3Fall 2006
Security PrinciplesSecurity Principles
We define security in the context of two groups ldquoThe good guysrdquo and ldquoThe bad guysrdquo
It doesnrsquot matter if we are talking about people robots or computers
In our definition if there are no ldquobad guysrdquo you are secure by default
Imagine a perfect world with no crime ndash there would be no need for a police force Security tries to create such a perfect world not globally but in a controlled space
It tries to create a bubble within which there are no bad guys at a given time So it is as though the bad guys donrsquot exist
4Fall 2006
High-level look at High-level look at six principlessix principles of security of security thinking (Philosophy of mistrust) thinking (Philosophy of mistrust)
Donrsquot talk to any one you donrsquot know Accept nothing without a guarantee Take everyone as an enemy until proved
otherwise Donrsquot trust your friend for long Use well-tried solutions Watch the ground you are standing on for
cracks
5Fall 2006
1 Donrsquot talk to any one you donrsquot know1 Donrsquot talk to any one you donrsquot know
In the context of security this means you must be 100 certain about the identity of a device or person before you communicate
It is the job of security designers to bring you as close to 100 as you need
6Fall 2006
2 Accept nothing without a guarantee2 Accept nothing without a guarantee
Guarantee means a guarantee of authenticity In other words it is the ldquoproofrdquo that the message
has not been changed (modified delayed or replaced)
7Fall 2006
3 Treat everyone as an enemy until proved 3 Treat everyone as an enemy until proved otherwiseotherwise
Emphasis on the importance of not giving information to anyone until that persondevice has proved identity
8Fall 2006
4 Donrsquot trust your friend for long4 Donrsquot trust your friend for long
ldquoMake new friends but keep the oldrdquo The word ldquokeeprdquo implies an active process a process of affirmation
So the keys passwords or certificates need to have a limited life You should keep reaffirming the relationship by renewing the tokens
9Fall 2006
5 Use well-tried solutions5 Use well-tried solutions
Part of security psychology involves developing a high level of mistrust for anything new to see how this affects peoplersquos devicersquos attitude
For example letrsquos take Encryption as an example The objective of encryption is to make the encrypted data look like perfectly random noise Good algorithm will make it totally random So no amount of analysis on the output stream would reveal any pattern
10Fall 2006
6 Watch the ground you are standing 6 Watch the ground you are standing on for crackson for cracks
The challenge for hackers of course is to look for the little cracks and crevices that result from hidden assumptions
For example a recent virus called ldquoCode Redrdquo (actually a worm) worked by exploiting the fact that when internal memory overflowed in a computer information was accidentally left in memory in a place that was accessible from outside
The system designers made the false assumption that buffers do not overflow and that if they do the excess buffers are properly thrown away
Almost certainly this was a subconscious assumption it was false and an attacker found it
11Fall 2006
High-level Attacker ProcessHigh-level Attacker Process
Target Identification
How you meet the goal
Capture necessary information
Analyze collected data
Pick the time to join the network
Reconnaissance
Collection
Analysis
Execution
Planning
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
4Fall 2006
High-level look at High-level look at six principlessix principles of security of security thinking (Philosophy of mistrust) thinking (Philosophy of mistrust)
Donrsquot talk to any one you donrsquot know Accept nothing without a guarantee Take everyone as an enemy until proved
otherwise Donrsquot trust your friend for long Use well-tried solutions Watch the ground you are standing on for
cracks
5Fall 2006
1 Donrsquot talk to any one you donrsquot know1 Donrsquot talk to any one you donrsquot know
In the context of security this means you must be 100 certain about the identity of a device or person before you communicate
It is the job of security designers to bring you as close to 100 as you need
6Fall 2006
2 Accept nothing without a guarantee2 Accept nothing without a guarantee
Guarantee means a guarantee of authenticity In other words it is the ldquoproofrdquo that the message
has not been changed (modified delayed or replaced)
7Fall 2006
3 Treat everyone as an enemy until proved 3 Treat everyone as an enemy until proved otherwiseotherwise
Emphasis on the importance of not giving information to anyone until that persondevice has proved identity
8Fall 2006
4 Donrsquot trust your friend for long4 Donrsquot trust your friend for long
ldquoMake new friends but keep the oldrdquo The word ldquokeeprdquo implies an active process a process of affirmation
So the keys passwords or certificates need to have a limited life You should keep reaffirming the relationship by renewing the tokens
9Fall 2006
5 Use well-tried solutions5 Use well-tried solutions
Part of security psychology involves developing a high level of mistrust for anything new to see how this affects peoplersquos devicersquos attitude
For example letrsquos take Encryption as an example The objective of encryption is to make the encrypted data look like perfectly random noise Good algorithm will make it totally random So no amount of analysis on the output stream would reveal any pattern
10Fall 2006
6 Watch the ground you are standing 6 Watch the ground you are standing on for crackson for cracks
The challenge for hackers of course is to look for the little cracks and crevices that result from hidden assumptions
For example a recent virus called ldquoCode Redrdquo (actually a worm) worked by exploiting the fact that when internal memory overflowed in a computer information was accidentally left in memory in a place that was accessible from outside
The system designers made the false assumption that buffers do not overflow and that if they do the excess buffers are properly thrown away
Almost certainly this was a subconscious assumption it was false and an attacker found it
11Fall 2006
High-level Attacker ProcessHigh-level Attacker Process
Target Identification
How you meet the goal
Capture necessary information
Analyze collected data
Pick the time to join the network
Reconnaissance
Collection
Analysis
Execution
Planning
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
5Fall 2006
1 Donrsquot talk to any one you donrsquot know1 Donrsquot talk to any one you donrsquot know
In the context of security this means you must be 100 certain about the identity of a device or person before you communicate
It is the job of security designers to bring you as close to 100 as you need
6Fall 2006
2 Accept nothing without a guarantee2 Accept nothing without a guarantee
Guarantee means a guarantee of authenticity In other words it is the ldquoproofrdquo that the message
has not been changed (modified delayed or replaced)
7Fall 2006
3 Treat everyone as an enemy until proved 3 Treat everyone as an enemy until proved otherwiseotherwise
Emphasis on the importance of not giving information to anyone until that persondevice has proved identity
8Fall 2006
4 Donrsquot trust your friend for long4 Donrsquot trust your friend for long
ldquoMake new friends but keep the oldrdquo The word ldquokeeprdquo implies an active process a process of affirmation
So the keys passwords or certificates need to have a limited life You should keep reaffirming the relationship by renewing the tokens
9Fall 2006
5 Use well-tried solutions5 Use well-tried solutions
Part of security psychology involves developing a high level of mistrust for anything new to see how this affects peoplersquos devicersquos attitude
For example letrsquos take Encryption as an example The objective of encryption is to make the encrypted data look like perfectly random noise Good algorithm will make it totally random So no amount of analysis on the output stream would reveal any pattern
10Fall 2006
6 Watch the ground you are standing 6 Watch the ground you are standing on for crackson for cracks
The challenge for hackers of course is to look for the little cracks and crevices that result from hidden assumptions
For example a recent virus called ldquoCode Redrdquo (actually a worm) worked by exploiting the fact that when internal memory overflowed in a computer information was accidentally left in memory in a place that was accessible from outside
The system designers made the false assumption that buffers do not overflow and that if they do the excess buffers are properly thrown away
Almost certainly this was a subconscious assumption it was false and an attacker found it
11Fall 2006
High-level Attacker ProcessHigh-level Attacker Process
Target Identification
How you meet the goal
Capture necessary information
Analyze collected data
Pick the time to join the network
Reconnaissance
Collection
Analysis
Execution
Planning
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
6Fall 2006
2 Accept nothing without a guarantee2 Accept nothing without a guarantee
Guarantee means a guarantee of authenticity In other words it is the ldquoproofrdquo that the message
has not been changed (modified delayed or replaced)
7Fall 2006
3 Treat everyone as an enemy until proved 3 Treat everyone as an enemy until proved otherwiseotherwise
Emphasis on the importance of not giving information to anyone until that persondevice has proved identity
8Fall 2006
4 Donrsquot trust your friend for long4 Donrsquot trust your friend for long
ldquoMake new friends but keep the oldrdquo The word ldquokeeprdquo implies an active process a process of affirmation
So the keys passwords or certificates need to have a limited life You should keep reaffirming the relationship by renewing the tokens
9Fall 2006
5 Use well-tried solutions5 Use well-tried solutions
Part of security psychology involves developing a high level of mistrust for anything new to see how this affects peoplersquos devicersquos attitude
For example letrsquos take Encryption as an example The objective of encryption is to make the encrypted data look like perfectly random noise Good algorithm will make it totally random So no amount of analysis on the output stream would reveal any pattern
10Fall 2006
6 Watch the ground you are standing 6 Watch the ground you are standing on for crackson for cracks
The challenge for hackers of course is to look for the little cracks and crevices that result from hidden assumptions
For example a recent virus called ldquoCode Redrdquo (actually a worm) worked by exploiting the fact that when internal memory overflowed in a computer information was accidentally left in memory in a place that was accessible from outside
The system designers made the false assumption that buffers do not overflow and that if they do the excess buffers are properly thrown away
Almost certainly this was a subconscious assumption it was false and an attacker found it
11Fall 2006
High-level Attacker ProcessHigh-level Attacker Process
Target Identification
How you meet the goal
Capture necessary information
Analyze collected data
Pick the time to join the network
Reconnaissance
Collection
Analysis
Execution
Planning
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
7Fall 2006
3 Treat everyone as an enemy until proved 3 Treat everyone as an enemy until proved otherwiseotherwise
Emphasis on the importance of not giving information to anyone until that persondevice has proved identity
8Fall 2006
4 Donrsquot trust your friend for long4 Donrsquot trust your friend for long
ldquoMake new friends but keep the oldrdquo The word ldquokeeprdquo implies an active process a process of affirmation
So the keys passwords or certificates need to have a limited life You should keep reaffirming the relationship by renewing the tokens
9Fall 2006
5 Use well-tried solutions5 Use well-tried solutions
Part of security psychology involves developing a high level of mistrust for anything new to see how this affects peoplersquos devicersquos attitude
For example letrsquos take Encryption as an example The objective of encryption is to make the encrypted data look like perfectly random noise Good algorithm will make it totally random So no amount of analysis on the output stream would reveal any pattern
10Fall 2006
6 Watch the ground you are standing 6 Watch the ground you are standing on for crackson for cracks
The challenge for hackers of course is to look for the little cracks and crevices that result from hidden assumptions
For example a recent virus called ldquoCode Redrdquo (actually a worm) worked by exploiting the fact that when internal memory overflowed in a computer information was accidentally left in memory in a place that was accessible from outside
The system designers made the false assumption that buffers do not overflow and that if they do the excess buffers are properly thrown away
Almost certainly this was a subconscious assumption it was false and an attacker found it
11Fall 2006
High-level Attacker ProcessHigh-level Attacker Process
Target Identification
How you meet the goal
Capture necessary information
Analyze collected data
Pick the time to join the network
Reconnaissance
Collection
Analysis
Execution
Planning
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
8Fall 2006
4 Donrsquot trust your friend for long4 Donrsquot trust your friend for long
ldquoMake new friends but keep the oldrdquo The word ldquokeeprdquo implies an active process a process of affirmation
So the keys passwords or certificates need to have a limited life You should keep reaffirming the relationship by renewing the tokens
9Fall 2006
5 Use well-tried solutions5 Use well-tried solutions
Part of security psychology involves developing a high level of mistrust for anything new to see how this affects peoplersquos devicersquos attitude
For example letrsquos take Encryption as an example The objective of encryption is to make the encrypted data look like perfectly random noise Good algorithm will make it totally random So no amount of analysis on the output stream would reveal any pattern
10Fall 2006
6 Watch the ground you are standing 6 Watch the ground you are standing on for crackson for cracks
The challenge for hackers of course is to look for the little cracks and crevices that result from hidden assumptions
For example a recent virus called ldquoCode Redrdquo (actually a worm) worked by exploiting the fact that when internal memory overflowed in a computer information was accidentally left in memory in a place that was accessible from outside
The system designers made the false assumption that buffers do not overflow and that if they do the excess buffers are properly thrown away
Almost certainly this was a subconscious assumption it was false and an attacker found it
11Fall 2006
High-level Attacker ProcessHigh-level Attacker Process
Target Identification
How you meet the goal
Capture necessary information
Analyze collected data
Pick the time to join the network
Reconnaissance
Collection
Analysis
Execution
Planning
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
9Fall 2006
5 Use well-tried solutions5 Use well-tried solutions
Part of security psychology involves developing a high level of mistrust for anything new to see how this affects peoplersquos devicersquos attitude
For example letrsquos take Encryption as an example The objective of encryption is to make the encrypted data look like perfectly random noise Good algorithm will make it totally random So no amount of analysis on the output stream would reveal any pattern
10Fall 2006
6 Watch the ground you are standing 6 Watch the ground you are standing on for crackson for cracks
The challenge for hackers of course is to look for the little cracks and crevices that result from hidden assumptions
For example a recent virus called ldquoCode Redrdquo (actually a worm) worked by exploiting the fact that when internal memory overflowed in a computer information was accidentally left in memory in a place that was accessible from outside
The system designers made the false assumption that buffers do not overflow and that if they do the excess buffers are properly thrown away
Almost certainly this was a subconscious assumption it was false and an attacker found it
11Fall 2006
High-level Attacker ProcessHigh-level Attacker Process
Target Identification
How you meet the goal
Capture necessary information
Analyze collected data
Pick the time to join the network
Reconnaissance
Collection
Analysis
Execution
Planning
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
10Fall 2006
6 Watch the ground you are standing 6 Watch the ground you are standing on for crackson for cracks
The challenge for hackers of course is to look for the little cracks and crevices that result from hidden assumptions
For example a recent virus called ldquoCode Redrdquo (actually a worm) worked by exploiting the fact that when internal memory overflowed in a computer information was accidentally left in memory in a place that was accessible from outside
The system designers made the false assumption that buffers do not overflow and that if they do the excess buffers are properly thrown away
Almost certainly this was a subconscious assumption it was false and an attacker found it
11Fall 2006
High-level Attacker ProcessHigh-level Attacker Process
Target Identification
How you meet the goal
Capture necessary information
Analyze collected data
Pick the time to join the network
Reconnaissance
Collection
Analysis
Execution
Planning
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
11Fall 2006
High-level Attacker ProcessHigh-level Attacker Process
Target Identification
How you meet the goal
Capture necessary information
Analyze collected data
Pick the time to join the network
Reconnaissance
Collection
Analysis
Execution
Planning
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
12Fall 2006
Security TermsSecurity Terms
To set up a system in practice we need to implement the six principles covered in the previous section using mechanisms that tend to be similar from one system to the next
Threat Model Security Protocol Keys and passwords Key entropy Authentication Authorization Encryption
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
13Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Threat Model
We need a means to measure whether a security system meets its goal One way to understand the security goals in a given situation is to make a list of all types of attack that are known
This list is used to create the thread model which is the basis for designing and evaluating security
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
14Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Security Protocol Real security is provided by a set of processes
and procedures that are carefully linked together It is important to realize that even of the most
advanced encryption techniques are used you have no security if they are used together in the wrong way
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
15Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Keys and passwords Both refer to a piece of information that is intended
to be secret to two or more parties Password Conventionally the term is used to refer
to keys that are chosen by humans Keys The term is more often used to describe
information generated by machine that is usually not human readable bull You will often see the references to the Length of Key
For example the original IEEE 80211 had 40-bit keys whereas most Wi-Fi WEP (Wired Equivalent Privacy) systems have 128-bit keys
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
16Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Key entropy What is important about passwords and keys is the
number of different possible values a key can take Theoretically a 40-bit key has 240 possible values
So the number of possible key values determines the strength of the key and is known as the Key Entropy
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
17Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authentication The heart of security is the ability to distinguish the ldquogood
guysrdquo from the ldquobad guysrdquo If you canrsquot be sure whom you are talking to you canrsquot
protect yourself against attack Two type
bull User Authentication (you are talking to the person you are supposed to do so) and
bull Message authentication (Not tempered with delayed altered or copied)
networ
k
Unauthorized assumption ofanotherrsquos identity
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
18Fall 2006
Security terms (contrsquod)Security terms (contrsquod)
Authorization The fact that you know who someone is
(authenticate) doesnrsquot mean you always want to give him access
The decision to ldquolet him inrdquo is called authorization and always comes after authentication
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
19Fall 2006
Security terms (contrsquod)Security terms (contrsquod) Encryption
The process of combining a piece of data and a key to produce random-looking numbers is called Encryption
It is useful only if a known key can be used to transform the random-looking numbers back to the original data
Encryption algorithms are used to create security protocols
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
20Fall 2006
General Classification of AttacksGeneral Classification of Attacks
Snooping Modifications Masquerading Denial of Service
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
21Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Snooping Simply accessing private information For example
getting company secrets stock purchase decision blackmail
Encryption can be used to make snooping difficult where attacker needs to know the secret encryption key or to use some clever technique to recover the encrypted data
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
22Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Modifications For example if you can intercept a wireless
transmission and change the destination address field (IP address) on a message you could cause that message to be forwarded to you across the Internet instead of its intended recipient
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
23Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Masquerading When an attacking device impersonates a valid
device If the device can successfully fool the target
network into validating it as an authorized device the attacker gets all the access rights that the authorized device established during log on
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
24Fall 2006
General Classification of Attacks (Contrsquod)General Classification of Attacks (Contrsquod)
Denial of service (DoS)
Usually blocks out everything including the attacker
The objective of a DoS attack is to cause damage to the target by preventing operation of the network
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
25Fall 2006
Wireless AttacksWireless Attacks
Wireless introduces a whole new set of opportunities for attackers trying to get keys because it is so easy to access the data stream even though they may be encrypted
The problem for the attacker is that the data is encrypted and she needs the keys Assuming you donrsquot change the keys heshe has much time as she wants to capture sample messages and analyze them
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
26Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
To analyze the attacker to attack letrsquos look at some common terms
Plaintext The data before encryption ndash this is what we want to protect
Ciphertext The encrypted version that the enemy can see over the radio link
Keys The secret value that is used to encryptdecrypt the message
Cipher The algorithm and rules used to perform the encryption and decryption
Ciphertext = Cipher (Key Plaintext)
Attacker knows all three except the keys Once they have all three components they can attack on the keys
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
27Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force Dictionary Attacks Algorithmic Attack
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
28Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Attacking the keys through brute force
An attacker tries every possible key until he finds a match
Given that he knows ciphertext and cipher (algorithm) he can decrypt the message and see whether it matches the plaintext
The time taken for a brute force attack depends on the key size (key entropy)
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
29Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Dictionary Attacks
The enemy uses a huge dictionary or database containing all the likely passwords
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
30Fall 2006
Wireless Attacks (Contrsquod)Wireless Attacks (Contrsquod)
Algorithmic Attack
This approach is to try to break the algorithm that is try to find the flaws in the way the encryption is performed that might expose the key value
However understanding the weakness of a particular algorithm often requires that you are a cryptographic expert
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
31Fall 2006
Whatrsquos different about sensor netsWhatrsquos different about sensor nets
Stringent resource constraints Insecure wireless networks No physical security (new issue) Interaction with the physical environment (new
issue)
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
32Fall 2006
WSN SecurityWSN Security
Why security Why security is different in WSN
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
33Fall 2006
Why securityWhy security
Confidentiality Need the ability to conceal message from a passive
attacker Integrity
Need the ability to confirm the message has not been tampered with
Authentication Need to know if the messages are from the node it
claims to be from Access Control
Need the ability to determine if a node has the ability to use the resources
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
34Fall 2006
Why security is different in WSNWhy security is different in WSN
Sensor Node Constraints Battery (2xAA)
Processing power (8Mhz)
Memory (lt128KB Flash and lt4KB RAM)
Energy Usagebull 3V x (20 to 30)mA 18V x (1 to 10)mA
Networking Constraints Wireless Ad hoc Unattended
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
35Fall 2006
ChallengeshellipChallengeshellip
Must avoid complex key management Simple and must be super-easy to deploy
Crypto must run on wimpy devices Wersquore not talking 2GHz P4rsquos here Dinky CPU (4-8 MHz) little RAM ( 256 bytes) lousy
battery Public-key cryptography NO ECC
Need to minimize packet overhead Radio is very power-intensive
bull 1 bit transmitted 1000 CPU ops TinyOS packets are 28 bytes long
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
36Fall 2006
Attacks on sensor netsAttacks on sensor nets
Spoofed altered or replayed routing information
Create routing loop attract or repel network trafficextend or shorten source routes generate false errormessages etc
Selective forwarding
Either in-path or beneath path by deliberate jamming allows to control which information is forwarded A malicious node act like a black hole and refuses to forward every packet it receives
Sinkhole attacks Attracting traffic to a specific node eg to prepare selective forwarding
Sybil attacks A single node presents multiple identities allows to reduce the effectiveness of fault tolerant schemes such as distributed storage and multipath etc
Wormhole attacks Tunneling of messages over alternative low-latency links to confuse the routing protocol creating sinkholes etc
Hello floods An attacker sends or replays a routing protocols hello packets with more energy
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
37Fall 2006
An Example (WSN application)An Example (WSN application)
network
basestation29deg
25deg
30deg27deg
31deg
Avg Temp
Avg X = (x1 + hellip + xn) n
Computing the average temperature
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
38Fall 2006
An Example + An Example + an attackan attack
Computing the average temperature
network
basestation29deg
25deg
30deg27deg
Avg Temp
Avg X = (x1 + hellip + xn) n
31deg 100deg result is drastically affected
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
39Fall 2006
CryptographyCryptography
Secret key cryptography Faster Consume much less computation energy Key management is an issue
Public key cryptography Requires more computation power and memory Cost more energy Has been thought as impossible in WSNs Key management is easier
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
40Fall 2006
Limitations of cryptographyLimitations of cryptography
Canrsquot prevent traffic analysis Canrsquot prevent re-transmitted packets Canrsquot prevent replayed packets Canrsquot prevent delayed packets Canrsquot prevent packets from being jammed Canrsquot prevent malicious insiders captured nodes
Crypto is not magic fairy dust
It wonrsquot magically make insecure services secure
Proper key management can help in a better way to protect sensory data
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
41Fall 2006
Key Management GoalsKey Management Goals
The protocol must establish a key between all sensor nodes that must exchange data securely
Node addition deletion should be supported It should work in undefined deployment
environment Unauthorized nodes should not be allowed to
establish communication with network nodes
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
42Fall 2006
Key Management SchemesKey Management Schemes
Trusted Server Scheme Depends on trusted server like Kerberos no trusted
infrastructure in WSN Asymmetric (Public Key) Scheme
Infeasible due to limited resources in WSN Key Pre-Distribution Scheme
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
43Fall 2006
Key pre-distributionKey pre-distribution
Master key approach Memory efficient but lack the security All sensors use one master key to communicate with the rest of the
sensor nodes Pros Efficient use of memory since the sensor only needs to save one
key Cons Compromising one sensor node will compromise the whole
network
Pair-wise key approach N-1 keys for each node Good security Requires a lot of memory Lack of scalability
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
44Fall 2006
Key pre-distribution Key pre-distribution ((Conventional Random Pair-wise schemeConventional Random Pair-wise scheme))
Requires a large storage space for keys in a large WSN
A E
D GB
C F
K1
K2
K3
K4
K5
K6
K7
K2 K3 K4 K5 K6 K7
K1 K3 K4 K5 K6 K7
K1 K2 K4 K5 K6 K7
K1 K2 K3 K5 K6 K7
K1 K2 K3 K4 K6 K7
K1 K2 K3 K4 K5 K7
K1 K2 K3 K4 K5 K6
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
45Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
1K 1K
2K
2K
Secure linkSensor nodes
1K 1K
2K
2K
Communication keys
AB
C
D
A BC
D
A BC
D
Shared key discovery Each sensor node broadcasts a key identifier list and compares the list of identities received to the keys in their key chains Note that more than one pair may share the same key
L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47 November 2002 (CCSrsquo02)
Each node randomly picks r keys from a unordered key pool S Use the common shared key to establish a secure link Relies on probabilistic key sharing among the nodes of a random
graph
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
46Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
The probability that two key rings share at least a key is
1 - Pr[two nodes do not share any key]
To compute the probability that two key rings do not share any key we note that each key of a key ring is drawn out of a pool of P keys without replacement Thus the number of possible key rings is
Pick the first key ring The total number of possible key rings that do not share a key with this key
ring is the number of key-rings that can be drawn out of the remaining P minus k unused key in the pool
namely
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
47Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Therefore the probability that no key is shared between the two rings is the ratio of the number of rings without a match by the total number of rings
Thus the probability that there is at least a shared key between two key rings is
1-
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
48Fall 2006
Key pre-distribution Key pre-distribution ((Random Key Based basic SchemeRandom Key Based basic Scheme))
Probability of sharing at least one key
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
49Fall 2006
Key pre-distribution (other approaches)Key pre-distribution (other approaches)
Key management by Eschenauer et al in ACM CCSrsquo02 SPINS by Perrig et al in Wireless Networks Journal (WINE)
2002 Random Key Assignment by pietro et al in ACM SASN 03 Establishing Pairwise Keys by Liu et al in ACM CCSrsquo03 LEAP by Zhu et al in proc of ACM CCSrsquo03 Pairwise Key Pre-distribution by Du et al in ACM CCSrsquo03 Random Key Predistribution by Chan et al in IEEE SampPrsquo03 Deployment knowledge by Du et al in IEEE INFOCOM04 TinySec by Chris Karlof et al UC Berkeley in SenSysrsquo04
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
50Fall 2006
TinySecTinySec
Integration OS TinyOS 110 Processors Mica Mica2 Mica2Dot using Atmel Processors Radio RFM TR1000 and Chipcon CC1000 SIM TOSSIM simulator
Implementation 3000 lines of NesC code RAM 455 bytes (not an issue for applications can be reduced to 256 bytes) MEM 7000 bytes of program space
Usage Build maintains a key file and uses a key from the file includes the key at
compile time Application ldquomake TINYSEC=true helliprdquo to enable TinySec-Auth A Link Layer Security Architecture for Wireless Sensor Networks
bull Provides access control message integrity message confidentialitybull Leave replay protection tasks to application layer
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
51Fall 2006
Key Management ArchitecturesKey Management Architectures
LEAP low-energy adaptive clustering hierarchybull Utilizes 4 types of keys for different security levels individual key
shared only with the base station a pairwise key shared with another sensor node a cluster key shared with multiple neighboring nodes a group key shared by all the nodes in the networks
bull Advantage supports in-network processing while minimizing the security impact of a compromised node to its immediate neighbors
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
52Fall 2006
Key Management ArchitecturesKey Management Architectures
LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networksbull A secure multicast scheme enforcing backward and forward
secrecy
bull Uses a tree structure to store keys to increase the efficiency of re-keying
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
53Fall 2006
Key Management ArchitecturesKey Management Architectures
Random Key Pre-distributionbull A random pool of keys from the key space is preloaded into each
node
bull To secure communication link two nodes find a common key in their sets
bull Provides complete resilience against node capture
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
54Fall 2006
Key Management ArchitecturesKey Management Architectures
TinyPKbull An effort to adapt public cryptography techniques to sensor
devices
bull Uses RSA cryptosystem to tackle symmetric key distribution
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
55Fall 2006
Key Management Architectures (Key Management Architectures (Energy ConsumptionEnergy Consumption))
For the majority of communications ranges the dual-protocol hybrid schemes are significantly more energy-efficient with the Pair-wise-Simple Key Distribution Center (SKDC) hybrid being most efficient
BD Burmester-Desmedt GDH Group Diffie-Hellman SKDC Pair-wise-Simple Key
Distribution Center
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
56Fall 2006
Secure RoutingSecure Routing
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information selective forwarding sinkholes Sybil wormholes HELLO floods
Directed diffusion and its multipath variant
Bogus routing information selective forwarding
sinkholes Sybil wormholes HELLO floods
Geographic routing (GPSR GEAR)
Bogus routing information selective forwarding Sybil
Minimum cost forwarding Bogus routing information selective forwarding
sinkholes wormholes HELLO floods
Clustering based protocols (LEACH TEEN PEGASIS)
Selective forwarding HELLO floods
Rumor routing Bogus routing information selective forwarding sinkholes Sybil wormholes
Energy conserving topology maintenance (SPAN GAF CEC AFECA)
Bogus routing information Sybil HELLO floods
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
57Fall 2006
Secure Routing (Secure Routing (an examplean example))
The typical tree-structured hierarchy of a wireless sensor network
A malicious compromised node m can affect immediate neighbors as well as their downstream children
Problem
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
58Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Intrusion tolerance
Limited broadcast using one way hash chains (OHCs) INSENS permits only base stations to initiate flooding of the network eg to set up routing information
Multipath routing multiple disjoint paths are set up from each sensor node
Limited routing updates Only the base station is allowed to update a nodersquos data routing table
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
59Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Defense
INSENS Intrusion-tolerant routing for wireless sensor networks
Adaptation to resource constraints Symmetric key cryptography is chosen to implement confidentiality and
authentication between the base station and each resource-constrained sensor node
Complexity is pushed away from resource-poor sensor nodes and into the resource-rich base station
lightweight bidirectional verification is applied to defend against the rushing attack The nested message authentication code (MAC) is used as a countermeasure against the wormhole attack
Multipath routing to Multiple Base stations Schemes are presented to improve the tolerance of routing
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
60Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Three Phases of Basic INSENS (a) ROUTE REQUEST is flooded from the base station (only one path is shown
here) (b) ROUTE REPLIES are unicast back to the base station from each sensor
node containing neighborhood topology information (c) A routing table is securely unicast to each node in a breadth-first manner
establishing multipath routing
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
61Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Enhanced single-phase INSENS (a) Secure REQ message flooding (b) Builds a secure routing tree (c) A standard rushing attack (d) Rushing attack is blocked by the echo-back countermeasure
simple echoback scheme
In this scheme a node x only forwards the REQ
messages for the nodes that can receive a
message from x Those nodes are termed xrsquos
reachable neighbors
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
62Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of node failures (a) INSENS builds multiple paths to bypass compromised
nodes
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
63Fall 2006
Secure Routing (Contrsquod)Secure Routing (Contrsquod)
Effects of rushing attack during multipath routing setup (Single and multiple base stations) (a) The echo-back approach is very effective in limiting the rushing
attack
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
64Fall 2006
Threats Attacks amp DefensesThreats Attacks amp Defenses
Physical layer Jamming interference with radio frequencies used
by a nodersquos transceiverbull Spread-spectrum communicationbull Priority messagesbull Lower duty cyclebull Mode change bull Jammed Area Mapping service
Node tampering attack data confidentiality robustness and survivabilitybull Tamper-proofing automatically erase sensitive
cryptographic informationbull Hidingbull Software algorithms for reducing revealed secret
information
Jamming attack
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
65Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Link layer Collision prevent nodes from successfully
transmitting packetsbull Error-correcting codes (partly)
Exhaustion exhaustion of a networkrsquos battery powerbull Rate limitation
Unfairness induce unfairness in the priorities for granting medium accessbull Use of small frames so that an individual node
can capture the channel only for a short time
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
66Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer Passive information gathering
bull Strong encryption techniques need to be used
False routing informationbull Strong authentication techniques
Selective forwarding malicious nodes may intentionally drop some packets and selectively forwards other packetsbull Redundant routesbull Redundant messagesbull IDS for sensor networks to detect
malicious nodes
BA1
A3
A2
A4
False Routing Information
Example captured node attracts traffic by advertising shortest path to sink high battery power etc
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
67Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Sybil attack a single node claims to be
other nodes in the networksbull Authentication and encryption
techniques
Sinkhole attack tempt nearly all the traffic from a particular area through a compromised node creating a metaphoric sinkhole with the adversary at the centerbull Authentication and encryption
techniques
Node A performs a Sybil attack against S
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
68Fall 2006
An Example of Sybil AttackAn Example of Sybil Attack
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
69Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) Wormhole attack an adversary
tunnels messages received in one part of the network over a low latency link and replays them in a different partbull No detecting technique is feasible for
sensor networks
bull Avoid routing race conditions
bull Packet Leashes to defend against this attack
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
70Fall 2006
Threats Attacks amp Defenses (Contrsquod)Threats Attacks amp Defenses (Contrsquod)
Network layer (Contrsquod) HELLO Flood Attack
bull Many WSN routing protocols require nodes to broadcast HELLO packets after deployment which is a sort of neighbor discovery based on radio range of the node
bull Laptop class attacker can broadcast HELLO message to nodes and then advertises high-quality route to sink
Defense Authentication verify the bidirectional linkDefense Authentication verify the bidirectional link
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
71Fall 2006
Attacks and Countermeasures at a glanceAttacks and Countermeasures at a glance
Layer Attacks Defense
Physical Jamming
Tampering
Spread-spectrum priority messages lower duty cycle Region mapping mode change
Tamper-proofing hiding
Link Collision
Exhaustion
Unfairness
Error-correcting code
Rate limitation
Small frames
Network and routing
Spoofed altered or replayed routing information
Selective forwarding
Sinkhole
Sybil
Wormhole
Hello flood attacks
Acknowledge spoofing
Egress filtering authentication monitoring
Redundancy probing
Authentication monitoring redundancy
Authentication probing
Authentication packet leashes
Authentication verify the bidirectional link
Authentication
Transport Flooding
Desyncrhonization
Client puzzles
Authentication
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
72Fall 2006
Security ConclusionsSecurity Conclusions
No versatile security mechanism can solve all security issues in Sensor Network
Each situation and application of sensor network with specific security requirements need distinct and specific solutions
Security issues should be solved in each layer and there is a cooperation between those solutions
Communication protocols dealing with cryptographic algorithms used to achieve availability confidentiality integrity and authentication
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
73Fall 2006
Security Conclusions (Contrsquod)Security Conclusions (Contrsquod)
Key management architectures handling the complexities of creating and distributing keys used by communication
Discovery of variety of attacks threats and proper preventive methods
Integrating research directions into complete security solutions for different kinds of sensor networks for different kind of application
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
74Fall 2006
References (References (Key Management)Key Management)
[1] Chan A Perrig and D Song Random Key Predistribution Schemes for Sensor Networks IEEE Symposium on Security and Privacy (SP)
[2] Sencun Zhu Sanjeev Setia Sushil Jajodia LEAP Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks In The Proceedings of the 10th ACM conference on Computer and communications security 2003
[3] Pietro RD LV Mancini YW Law S Etalle and P Havinga LKHW A Directed Diffusion-Based Secure Multicast Scheme for Wireless Sensor Networks International Conference on Parallel Processing Workshops (ICPPWrsquo03)
[4] Malan DJ Welsh M and Smith MD A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography Proc IEEE SECON 2004 4-7 Oct 2004 pp 71 - 80
[5] Adrian Perrig Robert Szewczyk Victor Wen David Culler J D Tygar SPINS Security Protocols for Sensor Networks In The Seventh Annual International Conference on Mobile Computing and Networking (MobiCom 2001) 2001
[6] Chris Karlof Naveen Sastry David Wagner TinySec A Link Layer Security Architecture for Wireless Sensor Networks ACM SenSys 2004 November 3-5 2004
[7] L Eschenauer V D Gligor ldquoA Key-Management Scheme for Distributed Sensor Networksrdquo 9th ACM Conference on Computer and Communication Security pp41-47
[8] Gaurav Jolly Mustafa C Ku1048826ccedilu Pallavi Kokate and Mohamed Younis ldquoA Low-Energy Key Management Protocol for Wireless Sensor Networksrdquo Proceedings of the Eighth IEEE International Symposium on Computers and Communication (ISCCrsquo03)
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
75Fall 2006
References (References (Attacks and Counter Measures)Attacks and Counter Measures)
[1] Chris Karlof David Wagner In Secure Routing in Wireless Sensor Networks Attacks and Countermeasures
[2] J R Douceur ldquoThe Sybil Attackrdquo in 1st International Workshop on Peer-to-Peer Systems (IPTPS rsquo02) March 2002
[3] Y-C Hu A Perrig and D B Johnson ldquoWormhole detection in wireless ad hoc networksrdquo Department of Computer Science Rice University Tech Rep TR01-384 June 2002
[4] JYih-Chun Hu Adrian Perrig David B Johnson ldquoPacket Leashes A Defense against Wormhole Attacks in Wireless Ad Hoc Networksrdquo Technical Report TR01-384 December 17 2001
[5] Y Hu A Perrig and D Johnson ldquoRushing attacks and defense in wireless ad hoc network routing protocolsrdquo Second ACM Workshop on Wireless Security (WiSersquo03) San Diego CA USA 2003
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
76Fall 2006
References (References (Secure Routing)Secure Routing)
[1] J Deng R Han and S Mishra INSENS Intrusion-Tolerant Routing in Wireless Sensor Networks Poster paper In the 23rd IEEE International Conference on Distributed Computing Systems (ICDCS 2003) Providence RI (May 2003)
[2] J Deng R Han and S Mishra A Performance Evaluation of Intrusion-Tolerant Routing in Wireless Sensor Networks In the 2nd IEEE International Workshop on Information Processing in Sensor Networks (IPSN 2003) Palo Alto CA (April 2003)
[3] Anthony D Wood Lei Fang Tian He ldquoSIGF A Family of Configurable Secure Routing Protocols for Wireless Sensor Networksrdquo SASNrsquo06 October 30 2006 Alexandria Virginia USA
[4] P Papadimitratos and Z Haas Secure routing for mobile ad hoc networks In SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002) Jan 2002
[5] Y-C Hu A Perrig and D B Johnson Ariadne a secure on-demand routing protocol for ad hoc networks In Proceedings of the Eighth Annual International Conference on Mobile computing and Networking pages 12ndash23 Sept 2002
[6] Y-C Hu D B Johnson and A Perrig Secure efficient distance vector routing in mobile wireless ad hoc networks In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA) pages 3ndash13 June 2002
[7] K Akkaya M Younis A survey on routing protocols for wireless sensor networks To appear in Journal of Ad Hoc Networks
[8] J Deng R Han S Mishra Inrusion tolerance and anti-traffic analysis strategies in wireless sensor networks In IEEE International Conference on Dependable
77Fall 2006
Thanks Thanks
77Fall 2006
Thanks Thanks